Hardening WordPress File Permissions


I recently had to move a bunch of WordPress sites. WordPress, generally, is terribly insecure. Here are my notes for configuring and hardening WordPress. Certainly these measures are incomplete. I gathered them from several sources. I write them here, for posterity, and so I don't forget in the future.

Run from the site's document root (the directory that holds wp-config.php), so that files are readable but not writable by the web server's group and by others, and directories are traversable:

find ./ -type f -exec chmod 644 {} \;
find ./ -type d -exec chmod 755 {} \;

Add to wp-content/uploads/.htaccess (create the file if it does not exist). Nothing a user uploads should ever be served as PHP:

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>

Two caveats. First, deny from all is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native directive is Require all denied. Second, the pattern is anchored to the end of the filename, so it misses double extensions such as shell.php.jpg, which mod_mime will still hand to the PHP handler when that handler is registered with AddHandler; it also does not cover .php7 or .phar. Widen the pattern if your server runs those.

Add to the site's root .htaccess. The first block stops the web server from ever serving wp-config.php directly; PHP reads it by include, but a broken or missing handler would otherwise hand out the file's contents, database password and salts included:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

AddHandler application/x-httpd-php56 .php .php5 .php4 .php3

The BEGIN/END WordPress block is the stock permalink rewrite that WordPress writes for itself, not a hardening measure; it is shown so the file is complete. The AddHandler line is a host-specific handler selection (this one pins PHP 5.6, which is end-of-life) and belongs in the file only if your host uses that handler name. Note that it registers .php3, .php4 and .php5 as PHP too, which is why the uploads rule has to match those extensions as well.

And of course, tighten wp-config.php itself:

chmod 660 wp-config.php

Mode 660 still lets the group write the file. If the web server runs as a different user that sits in that group, it can rewrite wp-config.php, so 640 (or 600 when the web server user is the owner) is tighter. Whatever mode you pick, keep the file unreadable by "other": it holds the database credentials and the authentication salts.
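The steps above, as one added example that is not code from the original post: a harden_wp function that applies the permission scheme to a site root, and an audit_wp function that reports anything still wrong (group- or world-writable paths, a world-readable wp-config.php, PHP-looking files under uploads, or a missing PHP-execution block). It assumes the standard layout (wp-config.php in the root, wp-content/uploads beneath it), uses 640 for wp-config.php rather than the post's 660, and writes an uploads .htaccess that carries both the Apache 2.2 and 2.4 spellings and also catches double extensions such as shell.php.jpg. The function names, tags and the path used in the usage note are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the standard
# WordPress layout; function names and finding tags are made up here.

# harden_wp ROOT
#   files 644, directories 755, wp-config.php 640 (owner rw, group r,
#   nothing for others), and a deny rule for PHP-looking files written
#   into wp-content/uploads/.htaccess. Ownership is left untouched.
harden_wp() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "harden_wp: no such directory: $root" >&2
        return 1
    fi
    # '+' batches many paths into one chmod instead of forking per file
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    mkdir -p "$root/wp-content/uploads"
    # Both Apache 2.2 (Order/Deny) and 2.4 (Require) directives; the
    # pattern also matches double extensions like shell.php.jpg, which
    # mod_mime would otherwise hand to the PHP handler.
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# Kill PHP execution in uploads
<FilesMatch "\.ph(?:p[34578]?|t|tml|ar)(?:\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    chmod 644 "$root/wp-content/uploads/.htaccess"
}

# audit_wp ROOT
#   Print one "tag: path" line per finding and return 1 if there were
#   any, 0 if the tree is clean.
audit_wp() {
    root=$1
    report=$(mktemp)
    # 1. anything group- or world-writable (none after the 644/755 pass)
    find "$root" \( -perm -g+w -o -perm -o+w \) \
        | sed 's/^/writable: /' >> "$report"
    # 2. wp-config.php readable by "other"
    find "$root" -maxdepth 1 -name wp-config.php -perm -o+r \
        | sed 's/^/world-readable: /' >> "$report"
    if [ -d "$root/wp-content/uploads" ]; then
        # 3. PHP-looking files in uploads, including double extensions
        find "$root/wp-content/uploads" -type f \( -iname '*.php' \
            -o -iname '*.php.*' -o -iname '*.php[0-9]*' \
            -o -iname '*.pht*' -o -iname '*.phar*' \) \
            | sed 's/^/php-in-uploads: /' >> "$report"
        # 4. the execution block itself must be present
        if ! grep -qiE 'require all denied|deny from all' \
                "$root/wp-content/uploads/.htaccess" 2>/dev/null; then
            echo "no-php-block: $root/wp-content/uploads/.htaccess" >> "$report"
        fi
    fi
    cat "$report"
    n=$(wc -l < "$report" | tr -d ' ')
    rm -f "$report"
    [ "$n" -eq 0 ]
}
```

Usage is `harden_wp /var/www/example && audit_wp /var/www/example` (path assumed). harden_wp never deletes anything, so a web shell already sitting in uploads survives the chmod pass and shows up in the audit as php-in-uploads; that is deliberate, since a stray PHP file in uploads is evidence worth looking at rather than something to silently remove.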

About the Author

Hi. My name is Jeremiah John. I'm a sf/f writer and activist.

I just completed a dystopian science fiction novel. I run a website which I created that connects farms with churches, mosques, and synagogues to buy fresh vegetables directly and distribute them on a sliding scale to those in need.

In 2003, I spent six months in prison for civil disobedience while working to close the School of the Americas, converting to Christianity, as one does, while I was in the clink.